
1 CT 320: Network and System Administration, Fall 2014 * Dr. Indrajit Ray, Department of Computer Science, Colorado State University, Fort Collins, CO 80528, USA
Dr. Indrajit Ray, Computer Science Department CT 320 – Network and Systems Administration, Fall 2014
* Thanks to Dr. James Walden, NKU and Russ Wakefield, CSU for contents of these slides

2 Topics
1. Introduction
2. Vulnerabilities, threats and attacks
3. Risk Management
4. OS Hardening
5. PAM
6. Passwords
7. Firewalls & Intrusion Prevention Systems

3 Overview Computer Security: protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

4 Key Security Concepts

5 Security Objectives
Confidentiality – Prevent / detect / deter improper disclosure of information
Integrity – Prevent / detect / deter improper modification of information
Availability – Prevent / detect / deter improper denial of access to services provided by a system

6 Some Examples
– An employee should not know the salary of the manager (confidentiality)
– An employee should not be able to update own salary record (integrity)
– Salary slips should be printed on the last day of the month (availability)

7 Security Goals
Data confidentiality
– Customer account data (credit cards, identity)
– Trade secrets
– Administrative data (passwords, configuration)
Data integrity
– Administrative data
– Software downloads (patches, free tools)
– Web pages

8 Security Goals
System integrity
– System binaries
– Kernel
System/network availability
– Network bandwidth
– Network services (auth, file, mail, print)
– Disk space

9 Interesting Situation You are the security admin of a company. One day you notice that an employee is downloading a very big file. You notice that downloading a file is not exactly against company policy. Should you flag this as a security issue?

10 An Even More Interesting Situation User uploads some financial documents on Microsoft Cloud. You (Microsoft) analyze these documents and determine that user owes back taxes to the IRS …..

11 Security Objectives (continued)
Prevention is more fundamental
– Detection seeks to prevent by threat of punitive action
– Detection often requires systems that must themselves be prevented from alteration
Sometimes detection is the only option
– Modification of messages on a network

12 More Security Objectives
Authenticity
– The property of being genuine and being able to be verified and trusted
– Note similarity with integrity
Accountability
– Requirement that actions of an entity should be traceable to that entity
– Acts as deterrence
Non-repudiation
– Requirement that an entity is not able to deny or reject the validity of its past actions
– Needed for proper accountability

13 Computer Security Challenges
1. Not simple
2. Must consider potential attacks
3. Procedures used may be counter-intuitive
4. Involve algorithms and secret info
5. Must decide where to deploy mechanisms
6. Battle of wits between attacker and admin
7. Not perceived as beneficial until it fails
8. Requires regular monitoring
9. Too often an after-thought
10. Regarded as an impediment to using the system

14 Systems Security Components / Terminology

15 History
1983 – "War Games" – The movie that brought computer security to public attention: a young man finds a back door into a military supercomputer and runs a nuclear-war simulation, believing it to be a computer game. Causes a national nuclear-missile scare and nearly starts WW III.
1988 – Morris worm – First real global attack; millions of dollars and thousands of hours wasted.
Still a wide open issue.

16 Security by Obscurity
Claim: if we hide the inner workings of a system, it will be secure.
Bad idea
– Less and less applicable in the emerging world of vendor-independent open standards
– Less and less applicable in a world of widespread computer knowledge and expertise

17 Security by Legislation
Claim: if we instruct our users on how to behave, we can secure a system.
Bad idea
– User awareness and cooperation is important but cannot be the principal focus for achieving security
– Human beings tend to defy authority

18 Weakest Link In Computer Security
Human beings are often considered the weakest link
– 95% of all attacks were directed against the home computer user in 2007
– End-users are frequently exposed to security risks through routine on-line activities such as checking e-mail or web browsing
– Many recent attacks indicate that end-users are increasingly becoming a new form of threat in cyber-space, the so-called unwitting accomplice

19 Vulnerabilities, Threats and Attacks
System resource vulnerabilities: a resource can
– Be corrupted (loss of integrity)
– Become leaky (loss of confidentiality)
– Become unavailable (loss of availability)
Attacks are threats carried out and may be
– Passive
– Active
– Insider
– Outsider

20 Vulnerabilities
1. Bad/default passwords.
2. Unused services with open ports.
3. Unpatched software vulnerabilities.
4. Transmitting confidential data in cleartext.
5. Open modems or wireless networks.
6. Physical access to critical systems.
7. Uneducated users.

21 Vulnerability Databases
Repository for vulnerability data
– Security checklists
– Security related software flaws
– Misconfigurations
– Impact metrics
National Vulnerability Database (NVD)
Open Source Vulnerability Database (OSVDB) – no longer maintained (shut down in 2016)

22 Some Common Security Threats

23 Threat Motives
Financial motives
– Identity theft
– Phishing
– Spam
– Extortion
– Botnets
Political motives
– Danish sites hacked after Mohammed cartoons.
Personal motives
– Just for fun.
– Insider revenge.

24 Threat Consequences
Unauthorized disclosure – Exposure, interception, inference, intrusion
Deception – Masquerade, falsification, repudiation
Disruption – Incapacitation, corruption, obstruction
Usurpation – Misappropriation, misuse

25 Attacks
Classified as passive or active
Passive attacks are eavesdropping
– Release of message contents
– Traffic analysis
– Are hard to detect, so aim to prevent
Active attacks modify/fake data
– Masquerade
– Replay
– Modification
– Denial of service
– Are hard to prevent, so aim to detect

26 How Systems Are Attacked

27 How Systems Are Attacked (continued)

28 Example Networked System

29 Attack Trees

30 Types of attacks
Social engineering
– Cold calls, shoulder surfing, phishing
– Alleviated by training, communication, etc.
Software vulnerabilities
– Buffer overflows, known bugs
– Patching
Configuration errors
– Complex – takes time and knowledge to do it right
– Easy to bypass

31 Risk Management
Risk is the relationship between your assets, the vulnerabilities characteristic to those assets, and attackers who wish to access or modify those assets.

32 Security Tips
– Packet filtering
– Unnecessary services
– Software patches
– Backups
– Passwords
– Vigilance

33 Rules of Thumb
– Don't put files of interest on your system
– Security policy should specify how info is handled
– Don't provide homes for hackers
– Set traps to detect intrusions
– Monitor reports from your security tools
– Teach yourself about security
– Be nosy – prowl around looking for unusual activity

34 Password mgmt.
Poor password management is a common weakness
– Indirect information
– Passwords easily hacked
Steps
– Run the common password checker often
– Check for null passwords
– Password maintenance
– Password aging
– No group logins
– Su to root from a personal account rather than logging in as root directly

35 SetUID programs
– Prone to security holes
– Minimize the number of them
– Use pseudo-users rather than root
– Make pseudo-users' home directory /dev/null
– Mount public or untrusted filesystems (e.g. /tmp, NFS exports, removable media) with nosuid so that set-UID bits on them are ignored

36 Security issues
Remote event logging
– Use syslog
Secure terminals
– Configure to disable root logins from SSH, VPNs, etc.
NIS – known to have security issues
NFS4 – security enhancements
Sendmail – runs as root
– Keep up to date

37 Security issues – cont'd
Viruses and worms
– Not widely prevalent on Linux
– Less market share than Windows
– Access controlled environment
Trojan horses
– Programs get Trojan horses embedded in them
– Keep software up to date
Rootkits
– Hide the attacker's processes, files and connections from the administrator

38 Assets
1. Login account.
2. Network bandwidth.
3. Disk space.
4. Data.
5. Reputation.

39 Defenses
Vulnerability mitigation
– Use secure authentication systems.
– Deploy software in secure configuration.
– Patch security flaws quickly.
Attack mitigation
– Firewalls to prevent network attacks.
– IDS to detect attacks.
– Virus/spyware scanners.

40 OS Hardening
– Secure the physical system.
– Install only necessary software.
– Keep security patches up to date.
– Delete or disable unnecessary user accounts.
– Use secure passwords.
– Disable remote access except where necessary.
– Use sudo instead of su.
– Run publicly accessible services in a jail.
– Check logs regularly.
– Configure firewall on each host.
– Run security scanner to check security.
– Document security configuration.

41 Secure the physical system
– Place servers in a physically secure location.
– Physically secure the case.
– Place ID tags on all hardware.
– Password protect the BIOS.
– Disable booting from removable media.

42 Install only Necessary Software
Put different services on different hosts.
– A compromise in ftp shouldn't compromise mail.
– Improves reliability and maintainability too.
Common unnecessary packages
– X-Windows
– Software development (gcc, gdb, etc.)

43 Security Patches
Subscribe to vendor security patch list.
– Or know vendor's update schedule.
– MS Windows updates on 2nd Tuesday.
Update a test host first.
– up2date -u (yum update on later Red Hat releases)
– Patches can sometimes break services.
Update other hosts after that.
– May need to schedule downtime if a reboot is required.

44 Use Secure Passwords
Attacks against Passwords
– Password sniffing
– Password guessing via login
– Password cracking
Defences
– Do not transfer passwords over the network.
– Secure /etc/{passwd,shadow}
– Configure password quality/aging rules.
– Test your passwords by cracking them.

45 PAM
Problem: Many programs require authentication. Ex: ftp, rlogin, ssh, etc.
New auth schemes require rewrites. Ex: longer passwords, keys, one-time passwords
Solution: Separate authentication from programs.
– Store auth in Pluggable Authentication Modules.
– Programs choose PAMs to use at runtime by reading config files.

46 PAM Configuration
Configured under /etc/pam.d
Each PAM-aware service has a file there.
Format of each line:
– Module interface: one of 4 module types.
– Control flag: how the module's failure or success affects the result (multiple successes may be required).
– Module name: PAM shared library.
– Module args: Files to use, other options.

47 Module Interfaces
auth — Authenticates use of service. For example, it may request and verify a password.
account — Verifies that access is permitted, e.g. check for expired accounts or location/time.
password — Sets and verifies passwords.
session — Configures and manages user sessions, e.g. mounting user home directories or mailboxes.

48 Module Stacking Example
rlogin PAM requirements
– The file /etc/nologin must not be present.
– Root may not log in over the network.
– Environment variables may be loaded.
– A ~/.rhosts entry allows login without a password.
– Otherwise perform standard password login.
PAM config file
  auth required   pam_nologin.so
  auth required   pam_securetty.so
  auth required   pam_env.so
  auth sufficient pam_rhosts_auth.so
  auth required   pam_stack.so service=system-auth
Note: pam_stack.so is obsolete; current Linux-PAM writes the last line as "auth include system-auth". rlogin itself is a cleartext protocol that slide 53 says to disable; the stack is shown here for the control-flag semantics.

49 Control Flags
required — Module result must be successful for authentication to continue. User is not notified of a failure until the results of all modules referencing that interface are available.
requisite — Module result must be successful for authentication to continue. User is notified immediately with a message reflecting the first failed required or requisite module.
sufficient — Module result is ignored if it fails. If a sufficient-flagged module succeeds and no required-flagged modules above it have failed, then no other results are required and the user is authenticated to the service.
optional — Module result is ignored. Only necessary for successful authentication when no other modules reference the interface.
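The control-flag rules above can be checked against the rlogin stack from slide 48 with a small simulator. This is an added example, not code from the slides or from Linux-PAM: module verdicts (is /etc/nologin present, is the tty in /etc/securetty, does ~/.rhosts match, is the password right) are supplied as a constructed dictionary instead of calling real modules, and pam_stack.so is treated as the single module it appears as on the slide (a modern "auth include system-auth" behaves the same for this purpose).

```python
"""Simulate Linux-PAM control-flag semantics (required/requisite/sufficient/optional)
over an auth stack, so the outcome of a pam.d file can be reasoned about before
deploying it. Added example; module verdicts are constructed, not real PAM calls."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Copy of the rlogin auth stack from the slide (constructed text).
RLOGIN_AUTH = """
auth required   pam_nologin.so
auth required   pam_securetty.so
auth required   pam_env.so
auth sufficient pam_rhosts_auth.so
auth required   pam_stack.so service=system-auth
"""


@dataclass
class Outcome:
    success: bool = False
    evaluated: List[str] = field(default_factory=list)  # modules that actually ran
    stopped_at: Optional[str] = None                    # module that ended the walk early


def parse_stack(text: str, interface: str = "auth") -> List[Tuple[str, str]]:
    """Return [(control_flag, module)] for one interface of a pam.d file; args are dropped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == interface:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack: List[Tuple[str, str]], verdicts: Dict[str, bool]) -> Outcome:
    """Walk the stack with the four simple control flags.

    required   failure is remembered but the remaining modules still run (the user is
               not told which one failed); success alone makes the stack succeed
    requisite  failure returns immediately
    sufficient success ends the walk with success unless a required module already
               failed; failure is ignored
    optional   counts only when no other module delivered a verdict
    A module missing from `verdicts` is treated as failing (default deny).
    """
    out = Outcome()
    first_required_failure: Optional[str] = None
    definite_success = False
    optional_verdict: Optional[bool] = None
    for flag, module in stack:
        ok = verdicts.get(module, False)
        out.evaluated.append(module)
        if flag == "requisite":
            if not ok:
                out.stopped_at = module
                return out
            definite_success = True
        elif flag == "required":
            if ok:
                definite_success = True
            elif first_required_failure is None:
                first_required_failure = module
        elif flag == "sufficient":
            if ok and first_required_failure is None:
                out.stopped_at = module
                out.success = True
                return out
        elif flag == "optional":
            if optional_verdict is None:
                optional_verdict = ok
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    if first_required_failure is None and definite_success:
        out.success = True
    elif first_required_failure is None and optional_verdict is not None:
        out.success = optional_verdict
    return out


RLOGIN_STACK = parse_stack(RLOGIN_AUTH)
# Baseline verdicts (constructed): ordinary user, no /etc/nologin, tty allowed,
# no ~/.rhosts match, correct password via system-auth.
BASELINE = {"pam_nologin.so": True, "pam_securetty.so": True, "pam_env.so": True,
            "pam_rhosts_auth.so": False, "pam_stack.so": True}


def rlogin(overrides: Optional[Dict[str, bool]] = None) -> Outcome:
    """Run the rlogin stack with the baseline verdicts, overriding selected modules."""
    verdicts = dict(BASELINE)
    verdicts.update(overrides or {})
    return run_stack(RLOGIN_STACK, verdicts)


if __name__ == "__main__":
    print("password login   :", rlogin())
    print("rhosts trust     :", rlogin({"pam_rhosts_auth.so": True}))
    print("root over network:", rlogin({"pam_securetty.so": False, "pam_rhosts_auth.so": True}))
```

The third case is the one the "required" definition is about: pam_securetty fails, but the walk continues through system-auth, so a remote root attempt still sees a password prompt and cannot tell which module rejected it, and the later sufficient rhosts success is ignored because a required module already failed.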

50 Password Quality
Use pam_cracklib.so in system-auth
Options
– retry=#: Maximum # of retries.
– minlen=#: Minimum password length (after credits).
– lcredit=#: lower case letters.
– ucredit=#: upper case letters.
– dcredit=#: digits.
– ocredit=#: other chars.
Note the credit semantics: a positive value N lets characters of that class earn up to N credits toward minlen; a negative value -N requires at least N characters of that class. To require at least one lower case letter, one digit and one symbol, use lcredit=-1 dcredit=-1 ocredit=-1. On current distributions pam_pwquality.so replaces pam_cracklib.so and accepts the same options.

51 Password Aging
Configure /etc/login.defs before creating accounts (useradd copies the values into each new account's /etc/shadow entry).
– PASS_MAX_DAYS: Max # of days before password expires.
– PASS_MIN_DAYS: Min # of days before user can change pw.
– PASS_WARN_AGE: # of days of advance notice before expiry.
Also configure /etc/default/useradd
– INACTIVE: # of days after pw expiration that the account is disabled.
– EXPIRE: Account expiration date in format YYYY-MM-DD.
Remember old passwords with pam_unix.so
– Prevents users from changing a password back to an old value.
– Modify /etc/pam.d/system-auth: set pam_unix.so option remember=26
– Create /etc/security/opasswd to store old password hashes.

52 Disable Unnecessary Accounts
/etc/passwd contains application accounts.
– Delete unnecessary application accounts.
– Common ex: uucp, games, gdm, xfs, rpcuser, rpc
– All remaining ones should have locked passwords.
– Set shell to a non-login shell such as /sbin/nologin or /bin/false.
Disable user accounts immediately on termination of employment.
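The checks from slides 34, 51 and 52 (null passwords, application accounts that can still log in, password-aging state) can be run over /etc/passwd and /etc/shadow together. This is an added example, not code from the slides; the two files and the "today" value are constructed, and the UID<1000 boundary for system accounts and the 99999 "never expires" value are the usual conventions, stated as assumptions in the code.

```python
"""Audit /etc/passwd and /etc/shadow for null passwords, application accounts that can
log in, and password-aging state. Added example; the sample files are constructed."""
from typing import Dict, List, Optional

# Constructed sample files. "today" is a day count since 1970-01-01, as in shadow(5).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
"""
SHADOW = """\
root:$6$salt$hashvalue:16350:1:90:7:::
bin:*:16000:0:99999:7:::
games:$6$salt$hashvalue:16000:0:99999:7:::
alice::16390:1:90:7:::
bob:$6$salt$hashvalue:16300:1:90:7:::
carol:$6$salt$hashvalue:16315:1:90:7:30::
dave:$6$salt$hashvalue:16200:1:90:7:30::
"""
TODAY = 16400

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999     # assumption: site follows the UID<1000 convention for system accounts
NO_MAX_AGE = 99999       # PASS_MAX_DAYS value that means "never expires"

PASSWD_FIELDS = ["name", "pw", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved"]


def parse_colon_file(text: str, names: List[str]) -> Dict[str, Dict[str, str]]:
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = dict(zip(names, fields))
    return rows


def _day(value: Optional[str]) -> Optional[int]:
    return int(value) if value not in (None, "") else None


def audit(passwd_text: str, shadow_text: str, today: int) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for accounts that need attention."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings: Dict[str, List[str]] = {}

    def flag(user: str, msg: str) -> None:
        findings.setdefault(user, []).append(msg)

    for name, p in passwd.items():
        s = shadow.get(name)
        if s is None:
            flag(name, "no shadow entry")
            continue
        h = s["hash"]
        locked = h.startswith("!") or h.startswith("*")
        if h == "":
            flag(name, "null password")          # login succeeds with no password at all
        uid = int(p["uid"])
        if 0 < uid <= SYSTEM_UID_MAX and not locked and p["shell"] not in NOLOGIN_SHELLS:
            flag(name, "unlocked application account with login shell")
        if locked:
            continue                             # aging is irrelevant for locked accounts
        lastchg, max_days, warn, inactive, expire = (
            _day(s[k]) for k in ("lastchg", "max", "warn", "inactive", "expire"))
        if expire is not None and today > expire:
            flag(name, "account expired")
        if lastchg is not None and max_days is not None and max_days < NO_MAX_AGE:
            expires_on = lastchg + max_days
            if inactive is not None and today > expires_on + inactive:
                flag(name, "account inactive-locked")      # INACTIVE days past expiry
            elif today > expires_on:
                flag(name, "password expired")
            elif warn is not None and today >= expires_on - warn:
                flag(name, "password expiry warning")      # within PASS_WARN_AGE
    return findings


if __name__ == "__main__":
    for user, msgs in sorted(audit(PASSWD, SHADOW, TODAY).items()):
        print(f"{user:8s} {'; '.join(msgs)}")
```

On a real host, run it as root (shadow is mode 0000 or 0400) and compare the output against what `chage -l user` reports for the same accounts.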

53 Disabling Remote Access
Disable cleartext protocols
– telnet, ftp, rsh, rlogin
Disable root access via ssh.
– Set PermitRootLogin to "no" in sshd_config
Restrict root logins to physical consoles
– /etc/securetty lists the terminals on which root may log in; remove network pseudo-terminals so root can log in only at the console
Disable password access via ssh
– Set PasswordAuthentication to "no" in sshd_config and use keys instead.
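A quick way to verify the sshd_config changes above is to parse the file the way sshd does and compare against the intended values. This is an added example, not from the slides or OpenSSH; the two configs are constructed. It encodes two sshd parsing facts that bite in practice: the first occurrence of a keyword wins (a later "PermitRootLogin no" does not override an earlier "yes"), and anything after a Match line is conditional. The check for ChallengeResponseAuthentication is the caveat a practitioner wants: with UsePAM, keyboard-interactive authentication still asks PAM for a password even when PasswordAuthentication is no.

```python
"""Check an sshd_config against the remote-access rules on the slide, honouring
sshd's own parsing rules (first occurrence of a keyword wins, Match blocks are
conditional). Added example with constructed configs; not from the slides or OpenSSH."""
import re
from typing import Dict, List

# (keyword, acceptable values, safe if absent?, message)
# "safe if absent" follows OpenSSH defaults: PermitEmptyPasswords defaults to no and
# PubkeyAuthentication to yes; PasswordAuthentication and ChallengeResponseAuthentication
# default to yes, and PermitRootLogin's default has changed between releases, so those
# three must be set explicitly.
CHECKS = [
    ("permitrootlogin", {"no"}, False, "PermitRootLogin should be no"),
    ("passwordauthentication", {"no"}, False, "PasswordAuthentication should be no (use keys)"),
    ("challengeresponseauthentication", {"no"}, False,
     "ChallengeResponseAuthentication should be no (keyboard-interactive still asks PAM for a password)"),
    ("permitemptypasswords", {"no"}, True, "PermitEmptyPasswords should be no"),
    ("pubkeyauthentication", {"yes"}, True, "PubkeyAuthentication should be yes"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global section only; later duplicates are ignored exactly as sshd ignores them."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break            # everything after the first Match is conditional
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text: str) -> List[str]:
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted, safe_if_absent, msg in CHECKS:
        value = settings.get(key)
        if value is None:
            if not safe_if_absent:
                findings.append(f"{msg} (not set; compiled-in default applies)")
        elif value not in wanted:
            findings.append(f"{msg} (is '{value}')")
    return findings


# Constructed example: looks fixed at a glance, but the second PermitRootLogin and the
# Match-scoped PasswordAuthentication have no effect on ordinary logins.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_sshd_config(cfg) or "OK")
```

After editing, `sshd -t` validates syntax and `sshd -T` prints the effective values, which is the authoritative cross-check for what this script infers.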

54 sudo
Log in as root only for single-user mode.
Use sudo instead of su.
– sudo command
– Advantages:
  Uses the user's password instead of root's password.
  Logs who executed what commands as root.
  Can delegate limited powers to some users.

55 Jails
Complete isolation: virtual machines.
Partial isolation: chroot
– chroot /var/httpd httpd
– chroot filesystem needs:
  /var/httpd/etc: limited /etc/{passwd,shadow,group}
  /var/httpd/usr/lib: shared libraries
  /var/httpd/bin: extra binaries
  /var/httpd/var/log: log space
  /var/httpd/tmp: temporary space
– Caveat: chroot confines only the filesystem view. A process that keeps root privileges (or can regain them, e.g. via a set-UID binary copied into the jail) can break out, so drop privileges after the chroot and keep no set-UID binaries or device nodes inside it.

56 Check Logs
Review logs every morning. Better yet, have a program scan them.
Send logs to a central server for
– security: attacker can't hide tracks by deleting
– ease of use: you can read all logs in one place
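As an added example of the "have a program scan them" advice (not code from the slides), the scanner below reads sshd lines in the syslog format OpenSSH produces on Linux, counts failed password attempts per source address, distinguishes one-account brute force from many-account spraying, and flags the pattern that matters most during triage: a successful login from an address that had just been failing. The log lines and thresholds are constructed for illustration.

```python
"""Scan sshd log lines for password guessing and for a success that follows a run of
failures. Added example; log lines are constructed in OpenSSH's Linux syslog format."""
import re
from collections import defaultdict
from typing import Dict, Iterable

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample: a spray from 203.0.113.77 that ends in a successful password
# login, then a legitimate user who mistyped twice before her key worked.
SAMPLE_LOG = """\
Oct  3 02:10:01 mail sshd[4120]: Failed password for root from 203.0.113.77 port 51022 ssh2
Oct  3 02:10:03 mail sshd[4122]: Failed password for invalid user admin from 203.0.113.77 port 51024 ssh2
Oct  3 02:10:05 mail sshd[4124]: Failed password for invalid user test from 203.0.113.77 port 51026 ssh2
Oct  3 02:10:07 mail sshd[4126]: Failed password for oracle from 203.0.113.77 port 51028 ssh2
Oct  3 02:10:09 mail sshd[4128]: Failed password for oracle from 203.0.113.77 port 51030 ssh2
Oct  3 02:10:11 mail sshd[4130]: Failed password for oracle from 203.0.113.77 port 51032 ssh2
Oct  3 02:10:13 mail sshd[4132]: Accepted password for oracle from 203.0.113.77 port 51034 ssh2
Oct  3 08:15:40 mail sshd[5210]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Oct  3 08:15:44 mail sshd[5210]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Oct  3 08:15:50 mail sshd[5210]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
Oct  3 09:00:00 mail sshd[5300]: Accepted publickey for carol from 198.51.100.21 port 40200 ssh2
"""


def analyze(lines: Iterable[str], threshold: int = 5, spray_users: int = 3) -> Dict[str, Dict]:
    """Return {"guessing": {ip: ...}, "success_after_failures": {ip: ...}}.

    threshold    failures from one address that count as guessing
    spray_users  distinct account names from one address that count as spraying
    """
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    success_after: Dict[str, Dict] = {}
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures.get(ip, 0) > 0:
                success_after[ip] = {
                    "user": user, "method": method, "failures_before": failures[ip],
                    # a password success after a guessing run is the red flag; a key
                    # success after a couple of typos usually is not
                    "suspicious": failures[ip] >= threshold or (method == "password" and failures[ip] >= 3),
                }
    guessing = {}
    for ip, n in failures.items():
        if n >= threshold:
            kind = "password spraying" if len(users[ip]) >= spray_users else "brute force"
            guessing[ip] = {"count": n, "users": sorted(users[ip]), "kind": kind}
    return {"guessing": guessing, "success_after_failures": success_after}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, info in report["guessing"].items():
        print(f"{ip}: {info['kind']}, {info['count']} failures, accounts {info['users']}")
    for ip, info in report["success_after_failures"].items():
        print(f"{ip}: {info['method']} login as {info['user']} after {info['failures_before']} "
              f"failures{' <-- investigate' if info['suspicious'] else ''}")
```

Run it against the copy on the central log host rather than the local /var/log: the slide's point is that an intruder with root on the target can truncate the local file, but not the lines already shipped off the box.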

57 Firewalls and Intrusion Prevention Systems
Effective means of protecting LANs.
Internet connectivity is essential
– for organizations and individuals
– but creates a threat
Could secure workstations and servers individually; also use a firewall as perimeter defence
– single choke point to impose security

58 Firewall Capabilities & Limits
Capabilities:
– defines a single choke point
– provides a location for monitoring security events
– convenient platform for some Internet functions such as NAT, usage monitoring, IPsec VPNs
Limitations:
– cannot protect against attacks bypassing the firewall
– may not protect fully against internal threats
– improperly secured wireless LAN
– laptop, PDA, portable storage device infected outside then used inside

59 Types of Firewalls

60 Packet Filtering Firewall
Applies rules to packets in/out of the firewall based on information in the packet header
– src/dest IP addr & port, IP protocol, interface
Typically a list of rules of matches on fields
– if matched, the rule says whether to forward or discard the packet
Two default policies for packets matching no rule:
– discard – prohibit unless expressly permitted; more conservative, controlled, visible to users
– forward – permit unless expressly prohibited; easier to manage/use but less secure

61 Packet Filter Rules

62 Packet Filter Weaknesses
Weaknesses
– cannot prevent attacks on application bugs
– limited logging functionality
– do not support advanced user authentication
– vulnerable to attacks on TCP/IP protocol bugs
– improper configuration can lead to breaches
Attacks
– IP address spoofing, source route attacks, tiny fragment attacks

63 Stateful Inspection Firewall
Reviews packet header information but also keeps info on TCP connections
– servers typically have a low, "known" port number
– clients have a high, dynamically assigned port number
– a simple packet filter must allow all return packets to high port numbers back in
– a stateful inspection firewall tightens the rules for TCP traffic using a directory of TCP connections
– only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
– may also track TCP sequence numbers
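The difference between slides 60 and 63 is easiest to see with the same rule set run through both kinds of filter. This is an added example, not from the slides: the addresses, ports and policy (a mail host 192.0.2.10 that also accepts SSH from an admin network) are constructed, and the packets are simplified to the header fields a filter reads. It shows the default-discard versus default-forward policies, the "open all high ports" rule a stateless filter needs so that replies get back in, and how a connection directory keyed on outbound SYNs removes that hole.

```python
"""Packet-filter rule matching with the two default policies, then a stateful
inspection layer that admits return traffic only when it matches a recorded
connection. Added example with constructed rules and packets; not from the slides."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

Port = Union[int, Tuple[int, int], str]   # exact port, inclusive range, or "*"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (toward the protected net) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str            # CIDR or "*"
    dst: str
    proto: str
    dport: Port
    action: str         # "forward" or "discard"


def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def _port_match(spec: Port, port: int) -> bool:
    if spec == "*":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport))


def stateless_filter(pkt: Packet, rules: List[Rule], default: str = "discard") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


class StatefulFirewall:
    """Same rules, plus a connection directory filled from outbound SYNs."""

    def __init__(self, rules: List[Rule], default: str = "discard") -> None:
        self.rules = rules
        self.default = default
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        # Return traffic is the reverse of a connection we saw leave.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "forward"
        verdict = stateless_filter(pkt, self.rules, self.default)
        if verdict == "forward" and pkt.direction == "out" and pkt.syn and not pkt.ack:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed policy for a mail host 192.0.2.10 administered from 203.0.113.0/24.
RULES = [
    Rule("in",  "*",              "192.0.2.10/32", "tcp", 25,  "forward"),   # SMTP from anywhere
    Rule("in",  "203.0.113.0/24", "192.0.2.10/32", "tcp", 22,  "forward"),   # SSH from admin net only
    Rule("out", "192.0.2.0/24",   "*",             "tcp", "*", "forward"),   # inside may initiate
]
# What a simple packet filter must add so replies to inside clients get back in.
HIGH_PORTS_OPEN = RULES + [Rule("in", "*", "192.0.2.0/24", "tcp", (1024, 65535), "forward")]

# Constructed packets.
SMTP_IN   = Packet("in",  "198.51.100.5", 40000, "192.0.2.10",   25,    syn=True)
SSH_ADMIN = Packet("in",  "203.0.113.7",  40001, "192.0.2.10",   22,    syn=True)
SSH_OTHER = Packet("in",  "198.51.100.5", 40002, "192.0.2.10",   22,    syn=True)
RDP_IN    = Packet("in",  "198.51.100.5", 40003, "192.0.2.10",   3389,  syn=True)
WEB_OUT   = Packet("out", "192.0.2.10",   51000, "198.51.100.5", 80,    syn=True)
WEB_REPLY = Packet("in",  "198.51.100.5", 80,    "192.0.2.10",   51000, syn=True, ack=True)
PROBE_IN  = Packet("in",  "198.51.100.9", 80,    "192.0.2.10",   6000,  syn=True)   # unsolicited

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    for name, pkt in (("web out", WEB_OUT), ("web reply", WEB_REPLY), ("probe", PROBE_IN)):
        print(f"{name:10s} stateless={stateless_filter(pkt, HIGH_PORTS_OPEN):8s} stateful={fw.process(pkt)}")
```

The probe packet is the point: with the high-port rule the stateless filter forwards it to port 6000 just as readily as it forwards the real reply, while the stateful firewall forwards the reply and discards the probe because no matching SYN ever left.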

64 Application-Level Gateway
Acts as a relay of application-level traffic
– user contacts gateway with remote host name
– authenticates themselves
– gateway contacts the application on the remote host and relays TCP segments between server and user
Must have proxy code for each application
– may restrict application features supported
More secure than packet filters but has higher overheads

65 Circuit-Level Gateway
Sets up two TCP connections, to an inside user and to an outside host
Relays TCP segments from one connection to the other without examining contents
– hence independent of application logic
– just determines whether relay is permitted
Typically used when inside users are trusted
– may use an application-level gateway inbound and a circuit-level gateway outbound
– hence lower overheads

66 SOCKS Circuit-Level Gateway
SOCKS v5 defined in RFC 1928 to allow TCP/UDP applications to use firewall
Components:
– SOCKS server on firewall
– SOCKS client library on all internal hosts
– SOCKS-ified client applications
Client app contacts SOCKS server, authenticates, sends relay request
Server evaluates & establishes relay connection
UDP handled with a parallel TCP control channel

67 Firewall Basing
Several options for locating a firewall:
– Bastion host
– Individual host-based firewall
– Personal firewall

68 Bastion Hosts
Critical strongpoint in the network
Hosts application/circuit-level gateways
Common characteristics:
– runs secure O/S, only essential services
– may require user auth to access proxy or host
– each proxy can restrict features, hosts accessed
– each proxy small, simple, checked for security
– each proxy is independent, non-privileged
– limited disk use, hence read-only code

69 Host-Based Firewalls
Used to secure an individual host
Available in / as add-on for many O/S
Filter packet flows
Often used on servers
Advantages:
– tailored filter rules for specific host needs
– protection from both internal / external attacks
– additional layer of protection to the org firewall

70 Personal Firewall
Controls traffic flow to/from a PC/workstation
For both home or corporate use
May be a software module on the PC or in the home cable/DSL router/gateway
Typically much less complex
Primary role is to deny unauthorized access
May also monitor outgoing traffic to detect/block worm/malware activity

71 Firewall Locations

72 Virtual Private Networks

73 Distributed Firewalls

74 Firewall Topologies
– host-resident firewall
– screening router
– single bastion inline
– single bastion T
– double bastion inline
– double bastion T
– distributed firewall configuration

75 Intrusion Prevention Systems (IPS)
Recent addition to security products which
– are inline net/host-based IDS that can block traffic
– are a functional addition to a firewall that adds IDS capabilities
Can block traffic like a firewall using IDS algorithms
May be network or host based

76 Host-Based IPS
Identifies attacks using both:
– signature techniques: malicious application packets
– anomaly detection techniques: behavior patterns that indicate malware
Can be tailored to the specific platform
– e.g. general purpose, web/database server specific
Can also sandbox applets to monitor behavior
May give desktop file, registry, I/O protection

77 Network-Based IPS
Inline NIDS that can discard packets or terminate TCP connections
Uses signature and anomaly detection
May provide flow data protection
– monitoring full application flow content
Can identify malicious packets using:
– pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
cf. SNORT inline can drop/modify packets

78 Unified Threat Management Products

79 Security Scanning
Scan host security
– Run bastille on the host.
Scan network security
– Scan for open ports with nmap.
– Scan for vulnerabilities with nessus.

80 Intrusion Detection
Host-based intrusion detection
– Check if system files are modified.
– Check for config / process modifications.
– Tools: tripwire, osiris, samhain
Network-based intrusion detection
– NIDS = Sniffer + traffic analysis + alert system.
– Check for suspicious activities: port scans, etc.
– Check for attack signatures: worms, etc.
– Tools: snort (AirSnort, also listed here, is a wireless WEP key-recovery tool rather than a NIDS)
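The "check if system files are modified" idea behind tripwire, osiris and samhain is a baseline of digests and permission bits compared against a fresh scan. The block below is an added example, not code from the slides or from any of those tools: it builds a throwaway directory tree, baselines it, tampers with it the way a rootkit or Trojaned binary would (trojan a binary, add a set-UID file, remove a configuration file), and reports the differences. The file names and contents are constructed.

```python
"""Host-based integrity check in the tripwire style: hash a baseline of a tree, later
re-hash and report added, removed, modified and permission-changed files. Added
example; the demo builds its own temporary tree, so it touches nothing real."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Relative path -> digest, permission bits and owner uid for every regular file."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and device nodes are not hashed here
            snap[os.path.relpath(path, root)] = {
                "sha256": _sha256(path),
                "mode": stat.S_IMODE(st.st_mode),   # includes set-UID/set-GID bits
                "uid": st.st_uid,
            }
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in common if baseline[p]["mode"] != current[p]["mode"]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/passwd": b"root:x:0:0"}
        for name, body in files.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o644)
        baseline = snapshot(root)

        # Tamper the way an intruder would:
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"ps v2")                          # same size, different content: trojaned ps
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)  # set-UID bit appears on a system binary
        with open(os.path.join(root, "bin/sh"), "wb") as f:
            f.write(b"backdoor")                       # new file dropped in
        os.remove(os.path.join(root, "etc/passwd"))    # file removed

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Two caveats the slide's "set traps" and "central log server" advice already hints at: the baseline (and the checker itself) must live where a root-level intruder cannot rewrite it, such as read-only media or the log host, or the attacker simply re-baselines after installing the rootkit; and a kernel-level rootkit can lie to the scanner about what is on disk, which is why a check from a clean boot medium is the stronger test.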

